AES must be enabled on the user account that holds the SPN.

Domain functional level must be 2008 or higher.

Domain functional level before 2008 does not support AES encryption.

To find the domain functional level, right-click on the root of the domain, and choose properties.

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files  must be in place

Replace local_policy.jar and US_export_policy.jar in

$JAVA/HOME/jre/lib/security/ 

The service must be restarted to apply the new policies.